DETAILED ACTION

1. This correspondence is in response to Amendments and REMARKS filed on July 09, 2008.

2. Claims 1-12 are pending.



Response to Arguments 



3. Applicant's arguments, see REMARKS, filed on 07/09/2008, with respect to Arrangement of the 
Specification have been fully considered and are persuasive. Therefore, the objection of the specification 
has been withdrawn. Additionally, Applicant has properly amended the abstract and the claims and 
overcomes the prior objections made. 

4. Applicant's arguments [regarding prior art rejections] filed on 07/09/2008 have been fully 
considered but they are not persuasive. 

Applicant argued, "The present invention relates to a device (claim 6 and independent claims) 
and method (claim 1 and dependent claims) for the detection and prevention of intrusions into a computer 
network, which allows for the prevention of such intrusions by detecting them before penetration of the 
network." 

Examiner respectfully points out that both ASQ V.2 and YADAV disclose a system and method for the 
detection and prevention of intrusions before the intrusions penetrate the network. For example, ASQ 
V.2 discloses detecting and preventing malicious code before it penetrates the network [see, for example, 
page 1, par. 5, "...integrating this IPS (Intrusion Prevention System) technology into the firewall enables 
the system to actively drop malicious traffic. As opposed to the IDS solutions that merely sniff traffic, 
send alarms...NETASQ IPS-Firewalls are able to pro-actively break illegitimate sessions before the last 
packets are transmitted, therefore, preventing attacks..."] [See also the Real-time Monitoring and ... section 
disclosed on page 8.] On the other hand, the Intrusion Detector (or Intrusion Detection System) of YADAV 
detects and blocks suspicious packets before they penetrate the network [see, for example, FIGS. 2A 
and 2B]; furthermore, YADAV discloses singling out the blocked packets for greater scrutiny [see, for 
example, abstract]. 

Applicant argued, neither ASQ V.2 nor YADAV disclose "...the specific characteristics according 
to which the conformity check detects the information necessary to open secondary connections or 
induced connections and attaches these secondary or induced connections dynamically to the 
authorization of the main connection..." 

Examiner respectfully disagrees. First, Examiner notes that the claim presented for examination 
recites a "...dynamic authorization for communication..." and "...deliver a dynamic rejection for 
communication..." but does not recite "dynamically attaching the secondary connection to the 
authorization of the main connection..." as Applicant argued. Second, independent Claim 1 recites, 
"...said check on conformity detects the data necessary for opening said secondary connections and attaches 
said secondary connections to the authorization for connection..." ASQ V.2 discloses that its IPS-Firewall 
performs a multilayer traffic inspection and analysis [see, for example, page 2] and dynamically filters 
packets [see, for example, pages 3 and 4]. Additionally, ASQ V.2 discloses that "...Stateful inspection 
doesn't break the client server model, yet keeps track of each successful connection in a state-table. 
Packets arriving on the firewall are matched against this state-table..." YADAV also discloses the claim 
limitation. For example, YADAV discloses [see FIG. 3] an application rule enforcer, which is a component of 
an integrated intrusion detection system, that identifies and cross-checks the file properties of an invoked 
application. In addition, YADAV discloses a comparing module that compares a request with the 
application-specific network policy [which could be implemented as multi-tiered] and notifies the detector 
of an unauthorized request. 

5. Examiner asserts that ASQ V.2 and YADAV clearly disclosed the claimed invention and finds 
Applicant's argument unpersuasive. Therefore, the previous rejection is repeated and this action is made 
final. 

Claim Rejections - 35 USC §102 

6. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351 (a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1-12 are rejected under 35 U.S.C. 102(a) as being anticipated by "NETASQ IPS-Firewalls. 
ASQ: Real-Time Intrusion Prevention" (referred to as "ASQ V.2" hereinafter) (AUTHOR: UNKNOWN; 
PUBLISHED: 2003). 

As per Claim 1, ASQ V.2 teaches, 

A method for the detection and prevention of intrusions into a computer network with a firewall, 
the method comprising (see page 1): detecting the connections at a central point and before each branch 
of said network (see ASQ and IPS in the middle picture of page 3), selective filtering of the said 
connections, where said selective filtering stage includes firstly a stage for automatic recognition of the 
accessing protocol, independently of the communication port used by the said protocol, and secondly, 
after said accessing protocol has been recognized automatically, a stage for verifying the conformity of 
each communication flowing in a given connection to the said protocol (see Analysis of Application 
Protocols (ASQ plug-ins) in pages 5-7), to deliver a dynamic authorization for communications resulting 
from normal operation of the protocol (see picture in page 1; Dynamic Filtering; and section Filtering (ASQ 
Dynamic Filtering) in page 4) and to deliver a dynamic rejection for communications resulting from 
abnormal operation of the protocol (see picture in page 1; Dynamic Filtering; and section Filtering (ASQ 
Dynamic Filtering), 
wherein said check on conformity is performed layer by layer, by successive protocol analysis of 
each part of the data packet flowing in the connection corresponding to a given protocol, from the lowest 
protocol to the highest protocol (see Principles of Packet Handling in page 3), and wherein, since each 
main connection enabled is able to induce one or more secondary connections, said check on conformity 
detects the data necessary for opening said secondary connections and attaches said secondary 
connections to the authorization for connection of said main connection (see Protocol Analysis, Fragment 
Analysis, Global Context Analysis and Filtering in page 4; and ASQ strengths in page 9). 

As per Claim 2, ASQ V.2 teaches, 

A method according to claim 1, wherein, as long as the accessing protocol of a connection is not 
recognized, the data are accepted but not transmitted (see section Principles of Packet Handling and 
ASQ's strengths in page 3 & 9). 

As per Claims 3-4, ASQ V.2 teaches, 

A method according to claim 2, wherein, if the number of data packets accepted but not 
transmitted exceeds a certain threshold, or if the data are accepted but not transmitted for a time 
exceeding a certain threshold, then the connection is considered not to have been analyzed; and wherein 
if the data are accepted but not transmitted for a time exceeding a certain threshold, then the connection 
is considered not to have been analyzed (see section Real-time Monitoring and Historical Logging and 
ASQ's strengths in pages 8-9). 

As per Claim 5, ASQ V.2 teaches, 

A method according to claim 2, wherein, when the accessing protocol of a connection is not 
automatically recognized, said step of checking on conformity of each communication flowing in a given 
connection to said protocol is replaced by a step of generic checking of coherence of data packets (see 
section Analysis of Application Protocols (ASQ plug-ins) from page 5 to 9). 
As per Claim 6, ASQ V.2 teaches, 

A device for the detection and prevention of intrusions into a computer network, comprising (see 
section ASQ: Real-Time Intrusion Prevention in page 1): 

a firewall (see page 1), a resource for preventing intrusions by detection of the connections (ASQ 
engine), directly incorporated into said firewall at a central point and before each branch of said network, 
where said resource for the prevention of intrusions includes a resource for selective filtering of said 
connections by automatic recognition of the accessing protocol, independently of the communication port 
used by said protocol (see section An integrated Firewall / IPS Solution in page 1), wherein said selective 
filtering resource includes at least one independent module for the analysis of at least one given 
communication protocol, and at least one of the independent modules includes: i. unit for the automatic 
recognition of a given communication protocol (see section Protocol Analysis in page 4), ii. unit for 
verifying the conformity of the communication flowing in a given connection to the said protocol (see 
picture in page 1; Dynamic Filtering; and section Filtering (ASQ Dynamic Filtering) in page 4), iii. means 
for delivering a dynamic authorization for communications resulting from normal operation of the protocol, 
and delivering a dynamic rejection for communications resulting from abnormal operation of the protocol 
(see picture in page 1; Real Time Intrusion Prevention), and iv. means of transmission of a part of a data 
packet to an independent analysis module of a hierarchically higher protocol (see section Principle of 
Packet Handling in page 2). 

As per Claim 7, ASQ V.2 teaches, 

A device according to claim 6, wherein, in addition to the independent module or modules for the 
analysis of a given communication protocol, the device includes an independent generic module which 
attaches itself to the connections for which the protocol has been recognized by none of the other said 
independent modules (see section Analysis of Application Protocols (ASQ plug-ins); and picture in page 3 
- IPS-Plugin). 
As per Claim 8, ASQ V.2 teaches, 

A device according to claim 6, wherein the device includes an interface for entry, by a user, of the 
criteria that determine the filtering policy (see Interfaces in pages 5 & 6). 

As per Claims 9-10, ASQ V.2 teaches, 

A device according to claim 8, wherein, said interface receives the criteria specified in natural 
language by the user; and wherein said criteria specified in natural language include at least one protocol 
name (see [HTTP], [FTP], [DNS], [eDonkey], [H323], [RIP] and [Generic] in pages 6 and 7). 

As per Claim 11, ASQ V.2 teaches, 

A device according to claim 8, wherein said interface allows the activation or deactivation of each 
of said independent modules (see Protocol Analysis, Fragment Analysis, Global Context Analysis and 
Filtering in page 4; and ASQ strengths in page 9). 

As per Claim 12, ASQ V.2 teaches, 

A device according to claim 6, wherein the device includes a resource for statistical processing of 
the connection data, and a resource for storage of said connection data and processed data (see section 
Real-time Monitoring and Historical Logging in page 8). 

Claims 1-12 are rejected under 35 U.S.C. 102(e) as being anticipated by " YADAV " (US 7,174,566). 

As per Claim 1, yadav teaches, 

A method for the detection and prevention of intrusions into a computer network with a firewall 
(see abstract; and col. 1, lines 6-8), the method comprising: detecting the connections at a central point 
and before each branch of said network (see MONITOR INBOUND TRAFFIC AND TRAFFIC 
CORRESPONDING TO A WATCH LIST 105 IN Fig. 1), selective filtering of the said connections (see 
col.7, line 19 to col. 8, line 15), where said selective filtering stage includes firstly a stage for automatic 
recognition of the accessing protocol, independently of the communication port used by the said protocol 
(see Fig. 3), and secondly, after said accessing protocol has been recognized automatically, a stage for 
verifying the conformity of each communication flowing in a given connection to the said protocol (see 
COMPARE REQUEST WITH NETWORK POLICY 320 and NETWORK POLICY SATISFIED? 325 IN Fig. 
3), to deliver a dynamic authorization for communications resulting from normal operation of the protocol 
(see NOTIFY NETWORK TRAFFIC ENFORCER OF OPEN CHANNEL 330 IN Fig. 3) and to deliver a 
dynamic rejection for communications resulting from abnormal operation of the protocol (see NOTIFY 
INTRUSION DETECTOR OF UNAUTHORIZED REQUEST 335 IN Fig. 3), 

wherein said check on conformity is performed layer by layer, by successive protocol analysis of 
each part of the data packet flowing in the connection corresponding to a given protocol, from the lowest 
protocol to the highest protocol (see LOAD APPLICATION-SPECIFIC NETWORK POLICY 310 in Fig. 3), 
and wherein, since each main connection enabled is able to induce one or more secondary connections, 
said check on conformity detects the data necessary for opening said secondary connections and 
attaches said secondary connections to the authorization for connection of said main connection (see 
APPLICATION AND RULE ENFORCER COMPONENT ARE INVOKED 300 and IDENTIFY INVOKED 
APPLICATION (APPLY HASH FUNCTION AND CHECK RESULT) 305 in Fig. 3). 

As per Claim 2, yadav teaches, 

A method according to claim 1, wherein, as long as the accessing protocol of a connection is not 
recognized, the data are accepted but not transmitted (see SEND UNAUTHORIZED COMMUNICATION 
TO INTRUSION DETECTOR and BLOCK UNAUTHORIZED COMMUNICATION in Fig. 4; and for 
example, col. 8, lines 16-33). 



As per Claims 3-4, yadav teaches, 
A method according to claim 2, wherein, if the number of data packets accepted but not 
transmitted exceeds a certain threshold (see COMPARE WITH CONFIGURABLE THRESHOLD 555 in 
Fig. 5A), or if the data are accepted but not transmitted for a time exceeding a certain threshold (see Time 
Elapsed in Fig. 5B), then the connection is considered not to have been analyzed; and wherein if the data 
are accepted but not transmitted for a time exceeding a certain threshold, then the connection is 
considered not to have been analyzed (see Fig. 5B; and for example, col. 9, lines 4-52). 

As per Claim 5, yadav teaches, 

A method according to claim 2, wherein, when the accessing protocol of a connection is not 
automatically recognized, said step of checking on conformity of each communication flowing in a given 
connection to said protocol is replaced by a step of generic checking of coherence of data packets (see 
Fig. 5A; and for example, col. 8, line 34 to col. 9, line 3). 
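The mechanism recited in claims 1-5, as mapped to ASQ V.2 above and to YADAV here, can be illustrated with a small executable model. The following Python block is an added example written for this page; it is not code from the office action, from NETASQ's ASQ engine or from the YADAV patent. Its protocol signatures, the thresholds MAX_PENDING_PACKETS and MAX_PENDING_SECONDS, and every host, port and payload are constructed assumptions for illustration only.

```python
"""Toy model of claims 1-5: port-independent protocol recognition, per-protocol
conformity checking, dynamic authorize/reject, buffering of unrecognized data,
thresholds, a generic fallback check, and attachment of an induced secondary
connection (FTP passive data channel) to the main connection's authorization.
Added example; signatures, thresholds and sample traffic are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical thresholds for claims 3-4 (packets buffered, seconds elapsed).
MAX_PENDING_PACKETS = 3
MAX_PENDING_SECONDS = 5.0


@dataclass
class Connection:
    src: str
    dst: str
    dport: int
    first_seen: float
    protocol: Optional[str] = None              # set by recognition, never by port
    pending: list = field(default_factory=list)  # accepted but not transmitted (claim 2)
    parent: Optional["Connection"] = None       # secondary -> main connection
    authorized: bool = False
    not_analyzed: bool = False


def recognize(payload: bytes) -> Optional[str]:
    """Stage 1 (claim 1): identify the application protocol from payload content only."""
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    if re.match(rb"^(USER|PASS|PASV|PORT|RETR|STOR|LIST|QUIT)( |\r\n)", payload):
        return "ftp"
    if re.match(rb"^\d{3}[ -]", payload):       # FTP server reply such as "220 " or "227 "
        return "ftp"
    return None


def generic_check(payload: bytes) -> bool:
    """Claim 5: generic coherence check used when no protocol module applies."""
    return 0 < len(payload) <= 1500 and b"\x00" not in payload


class Engine:
    def __init__(self):
        # (ip, port) announced by a main connection -> that main connection
        self.expected: dict = {}

    def new_connection(self, src: str, dst: str, dport: int, now: float) -> Connection:
        conn = Connection(src, dst, dport, now)
        main = self.expected.pop((dst, dport), None)
        if main is not None and main.authorized:
            # Induced secondary connection: attached to the main connection's authorization.
            conn.parent, conn.protocol, conn.authorized = main, main.protocol + "-data", True
        return conn

    def _conformity(self, conn: Connection, payload: bytes) -> bool:
        """Stage 2 (claim 1): per-protocol conformity at the application layer. The FTP
        module also extracts the data needed to open a secondary connection
        ("227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)") and registers it."""
        if conn.protocol == "http":
            request_line = payload.split(b"\r\n", 1)[0]
            return len(request_line) <= 2048 and b"\x00" not in payload
        if conn.protocol == "ftp":
            m = re.search(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", payload)
            if m:
                host = ".".join(m.group(i).decode() for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                self.expected[(host, port)] = conn
            return len(payload) <= 512 and payload.endswith(b"\r\n")
        return generic_check(payload)           # "generic" and "ftp-data" connections

    def handle(self, conn: Connection, payload: bytes, now: float) -> str:
        """Verdict for one packet: "authorize", "reject" or "hold"."""
        if conn.protocol is None:
            conn.protocol = recognize(payload)
            if conn.protocol is None:
                conn.pending.append(payload)    # claim 2: accept but do not transmit
                if (len(conn.pending) > MAX_PENDING_PACKETS
                        or now - conn.first_seen > MAX_PENDING_SECONDS):
                    conn.not_analyzed = True    # claims 3-4: thresholds exceeded
                    conn.protocol = "generic"   # claim 5: generic check from now on
                    ok = all(generic_check(p) for p in conn.pending)
                    conn.pending.clear()
                    conn.authorized = ok
                    return "authorize" if ok else "reject"
                return "hold"
        ok = self._conformity(conn, payload)
        conn.authorized = ok
        return "authorize" if ok else "reject"
```

In this model an FTP control session on a non-standard port is still recognized as FTP from its first command, the "227" reply causes the expected passive data endpoint to be recorded against the control connection, and the later data connection to that endpoint is authorized only because its parent is; an unannounced connection to the same port gets no such authorization. Unrecognized connections are held until the packet or time threshold trips, after which only the generic check applies.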

As per Claim 6, yadav teaches, 

A device for the detection and prevention of intrusions into a computer network (see abstract; and 
col. 1, lines 6-8; Fig. 2A-B and 6), comprising: a firewall, a resource for preventing intrusions by detection 
of the connections, directly incorporated into said firewall at a central point and before each branch of 
said network (see Intrusion Detection System 230, 234, 236 and 280 in Fig. 2A-B) where said resource 
for the prevention of intrusions includes a resource for selective filtering of said connections by automatic 
recognition of the accessing protocol, independently of the communication port used by said protocol, 
wherein said selective filtering resource includes at least one independent module for the analysis of at 
least one given communication protocol (see 224,... and 236,... in Fig. 2A) , and at least one of the 
independent modules includes (see col. 4, line 59 to col. 7, line 18): i. unit for the automatic recognition of 
a given communication protocol (see NETWORK TRAFFIC ENFORCER 282 in Fig. 2A), ii. unit for 
verifying the conformity of the communication flowing in a given connection to the said protocol (see 
INTRUSION DETECTOR 280 in Fig. 2A-B), iii. means for delivering a dynamic authorization for 
communications resulting from normal operation of the protocol, and delivering a dynamic rejection for 
communications resulting from abnormal operation of the protocol (see APPLICATION RULE 
ENFORCER 284 in Fig. 3), and iv. means of transmission of a part of a data packet to an independent 
analysis module of a hierarchically higher protocol (see Network Transport Layer 260 in Fig. 2A-B). 

As per Claim 7, yadav teaches, 

A device according to claim 6, wherein, in addition to the independent module or modules for the 
analysis of a given communication protocol, the device includes an independent generic module which 
attaches itself to the connections for which the protocol has been recognized by none of the other said 
independent modules (see APPLICATION AND RULE ENFORCER COMPONENT ARE INVOKED 300 
and IDENTIFY INVOKED APPLICATION (APPLY HASH FUNCTION AND CHECK RESULT) 305 in Fig. 
3; and for example, col. 7, line 19 to col. 8, line 15). 

As per Claim 8, yadav teaches, 

A device according to claim 6, wherein the device includes an interface for entry, by a user, of the 
criteria that determine the filtering policy (see Security Operation Center 242 & 292 in Fig. 2A-B; and for 
example, col. 5, lines 33-41). 

As per Claims 9-10, yadav teaches, 

A device according to claim 8, wherein, said interface receives the criteria specified in natural 
language by the user (see Response Needed? 515 in Fig. 5A; and for example, col. 5, lines 33-41 and 
col. 6, lines 17-24), wherein said criteria specified in natural language include at least one protocol name 
(see col. 1, lines 6-67). 



As per Claim 11, yadav teaches, 
A device according to claim 8, wherein said interface allows the activation or deactivation of each 
of said independent modules (see Fig. 1, 3 and 5A-B; where independent modules analysis is disclosed). 

As per Claim 12, yadav teaches, 

A device according to claim 6, wherein the device includes a resource for statistical processing of 
the connection data, and a resource for storage of said connection data and processed data (see LOG 
NETWORK ACTIVITY 525, EXAMINE COMMUNICATION(S) FOR INTRUSION PRELUDE PATTERNS 
505, LOG NETWORK ACTIVITY FOR LATER ANALYSIS 545 & 585 IN Fig. 5A-B). 

Conclusion 

7. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth 
in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the mailing date of this final action. 

CONTACT INFORMATION 

8. Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to AMARE TABOR whose telephone number is (571)270-3155. The examiner can normally 
be reached on Mon-Fri 8:00a.m. to 5:00p.m., EST. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) 
at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative 
or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Amare Tabor 
(AU2139) 

/Kristine Kincaid/ 

Supervisory Patent Examiner, Art Unit 2139 



